This article covers setting up both SAML-based single sign-on and SCIM-based user and group provisioning.
Setting up SAML-based single sign-on (SSO)
SAML-based single sign-on (SSO) gives members access to Fulcrum through an identity provider (IdP) of your choice. SSO is available with certain plans and can be enabled by your Account Manager.
Fulcrum’s SSO can be used with any directory management system that supports the SAML standard; we’ve also published apps with two of the most popular identity management platforms: Okta and Microsoft’s Entra ID (formerly Azure Active Directory) service. Each platform provides preconfigured apps that simplify provisioning within your directory.
Our SSO integration isn’t limited to these platforms, however. Other SAML-based systems that work with Fulcrum include Auth0, G Suite, Bitium, Microsoft ADFS, OneLogin, Centrify, and more.
What to Expect after Enabling SSO
Fulcrum supports a mixed environment of both managed (SSO) and unmanaged (Standard Fulcrum login) users.
Existing unmanaged members can be migrated to managed members if they are not members of any other Fulcrum Organizations.
SSO managed members can have the same email as existing Fulcrum system (unmanaged) members.
Only members with an Owner system role can add unmanaged members once SSO has been enabled.
If you need to migrate existing users to SSO, please contact your account executive or CSM to coordinate that process.
Step 1: Configure your Identity Provider
To set up SSO for your Fulcrum organization, you'll need to create a connection between Fulcrum and your IdP. Fulcrum SSO can be configured to use any IdP that supports the SAML 2.0 specification.
Fulcrum supports Service Provider (SP) and Identity Provider (IdP) Initiated SSO.
Fulcrum supports Just In Time (JIT) user provisioning.
Fulcrum expects the following attributes in the SAML response: first_name, last_name, and email. The role attribute is optional and will default to Fulcrum's default role if omitted.
Step 2: Exchange Metadata
Once your IdP is configured, send your SAML metadata to your Fulcrum Account Manager. We will establish a domain for your organization, ingest your metadata and provide the appropriate metadata for your IdP.
Remote System Parameters (supplied by your IdP to Fulcrum)
SAML Endpoint URL (Identity Provider URL)
SAML Identity Provider Issuer (also called IdP Entity ID) (Optional)
SAML Public X.509 Certificate (the IdP signing certificate Fulcrum uses to verify assertion signatures)
Fulcrum Parameters (supplied by Fulcrum to your IdP)
SAML Entity ID (Issuer)
SAML Single Sign On URL (Assertion Consumer Service URL) (ACS URL)
SAML Sign on URL (Shareable URL to Sign in to Fulcrum)
Step 3: Authenticate via SSO
Once SSO has been configured, you can authenticate to Fulcrum via your IdP on both the web and mobile apps. We can also optionally set a SAML timeout value to force authentication at a preset interval.
Note:
Be sure to review your Role settings to ensure the Default role is set as you expect before adding your SSO users.
When an unmanaged user is converted to a managed user, any existing mobile app session is invalidated: the user is signed out at their next sync, can no longer sign in with a password, and must re-authenticate via SSO.
An organization can consist entirely of SSO managed members. Organizations must have at least one member and at least one Owner role.
Fulcrum requires the NameID in the SAML assertion and the user's email address in the IdP to match.
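As an added example (not Fulcrum's code and not taken from this article), the following Python script shows the service-provider side of Steps 1 and 2: it pulls the three Remote System Parameters out of an IdP metadata document, then checks an assertion for the attributes listed in Step 1 and for the NameID/email match required above. The tenant (idp.example.com), its entity ID and URLs, the certificate body and the user details are all constructed placeholders. Signature verification is deliberately left out; a real SP must verify the assertion's XML signature against the metadata certificate before trusting the issuer, the NameID or any attribute.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REQUIRED_ATTRS = ("first_name", "last_name", "email")  # attributes Fulcrum expects; role is optional

# Constructed IdP metadata for a fictional tenant (idp.example.com); the certificate body is a placeholder.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDERBASE64CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_parameters(metadata_xml):
    """Extract the Remote System Parameters (IdP entity ID, SSO URL, signing cert) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "signing_cert": "".join(cert.text.split()),  # strip the line-wrapping whitespace
    }


def build_assertion(name_id, attrs):
    """Constructed, unsigned assertion used only to exercise parse_assertion()."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>"
    )


def parse_assertion(assertion_xml, trusted_issuer):
    """Read NameID and attributes and list anything that would violate Fulcrum's expectations.

    Signature verification is intentionally out of scope: a real SP verifies the XML signature
    against the metadata certificate before trusting Issuer, NameID or any attribute.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP entity ID")
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute {name!r} is missing or empty")
    # Fulcrum requires the NameID to match the user's email; compare case-insensitively.
    if attrs.get("email") and name_id.lower() != attrs["email"].lower():
        problems.append(f"NameID {name_id!r} does not match email {attrs['email']!r}")
    return {
        "name_id": name_id,
        "attrs": attrs,
        "role": attrs.get("role"),  # None means Fulcrum's default role applies
        "problems": problems,
    }


if __name__ == "__main__":
    params = idp_parameters(IDP_METADATA)
    print("IdP parameters:", params)
    ok = build_assertion("alice@example.com",
                         {"first_name": "Alice", "last_name": "Liddell",
                          "email": "alice@example.com", "role": "Manager"})
    print("valid assertion:", parse_assertion(ok, params["entity_id"])["problems"])
    bad = build_assertion("aliddell", {"first_name": "Alice", "email": "alice@example.com"})
    print("broken assertion:", parse_assertion(bad, params["entity_id"])["problems"])
```

The second constructed assertion shows the two failures that most often surface when a new IdP app is wired up: a required attribute left unmapped, and a NameID sent as a username rather than the email address. The role value "Manager" is only an illustrative role name; any role name your organization defines can be sent, and omitting it falls back to the default role.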
Setting up SCIM-based user and group provisioning
Fulcrum supports user and group provisioning with the System for Cross-domain Identity Management (SCIM) standard.
SCIM-based provisioning allows you to:
Provision and deprovision Fulcrum users and groups efficiently through your identity provider (IdP).
Push Groups - Groups in your IdP can be assigned to the Fulcrum application. The users in those groups are automatically created and added as members of your Fulcrum organization, and the groups themselves can also be created in Fulcrum as Fulcrum groups.
Map Roles - When app roles are set up and assigned to users or groups in your IdP, Fulcrum members are automatically assigned the corresponding Fulcrum role.
Value SCIM-based provisioning provides:
Automate and simplify onboarding and offboarding new Fulcrum users
Security - deprovision users automatically when they leave your organization
Step 1: Get the API Token
In Fulcrum, generate and copy the API token.
Step 2: Enter the API Token in your identity management platform
Go to your identity management platform, such as Okta or Microsoft Entra ID (formerly Azure Active Directory), and use the token generated in Step 1 as the credential in the authorization header.
Related Articles:
Okta SCIM Guide
Note: Fulcrum SCIM integration with Entra ID (formerly Azure Active Directory) is currently under review with Microsoft and you will not see it on the Entra ID site yet. SCIM-based user provisioning can currently be manually configured to work between Entra ID and Fulcrum.
Step 3: Set a default member for record reassignment (optional)
Within Fulcrum's Organizational Profile Settings, set a default record reassignee. This ensures that when members are removed via SCIM deprovisioning or the API, their assigned records are automatically reassigned to the designated user.
Note:
API tokens are bound to the user that created them. If that user is removed from the organization or the token is revoked, the SCIM user provisioning integration stops working until it is updated with a token generated by another user, so generate the token from an account that is not expected to be removed.